How responsible are cloud platforms for data security?
These days, just about every software platform or app available has some kind of cloud functionality. They might host your data in the cloud, give you cross-platform access to your account, or allow you to upload and download files anywhere.
This is remarkably convenient, and a major breakthrough for productivity and communication in the workplace, but it also comes with its share of vulnerabilities. A security flaw could make your data available to someone with malicious intentions.
Cloud security is a complex topic that comprises many different considerations, including the physical integrity of the data center where your data is held and the coding of the software that allows you to access it. A trustworthy cloud developer should take precautions and improve cloud security the best it can—but how responsible should the developer be for ensuring the integrity of their system?
Cloud Platform Responsibilities
There are many potential points of vulnerability that could compromise the integrity of a cloud account. However, not all of them are controllable by the cloud developer—as we’ll see.
Let’s start by focusing on the areas of security that a cloud developer and service provider could feasibly control:
- Physical data storage and integrity. Most cloud platforms rely on massive, highly secured data centers where they store user data and keep it safe. Because cloud platforms are the only ones with access to these data centers, they’re the ones responsible for keeping them secure. That often means creating redundancy, with multiple backups, and physical protective measures to guard against attacks and natural disasters.
- Software integrity. The cloud platform is also responsible for ensuring the structural integrity of the software. There shouldn’t be any coding gaps that allow someone to forcibly enter and/or manipulate the system.
- API, communication, and integration integrity. One of the biggest potential flaws in any app is its connection points to other users and other integrations. If the app allows message exchanges, it should be secured with end-to-end encryption. If there are any active API calls to integrate with other applications, these need to be highly secure.
- User controls and options. It’s also important for cloud apps to include multiple options and features for users to take charge of their own security. For example, this may include the ability to create and manage multiple types of users with different administrative privileges.
However, there are some other points of vulnerability outside the realm of a cloud provider’s direct control. For example:
- Network encryption and security. There isn’t much a cloud platform can do if end users are relying on a public network, or one that isn’t secured with encryption and a strong password. This is a responsibility that falls squarely on the shoulders of the end user.
- Hardware and endpoint security. While the software development process requires a developer to have some level of understanding of the hardware being used to access their apps, they’re limited in their understanding of those inherent vulnerabilities. There also isn’t much a cloud platform can do if their end users are using outdated devices, or devices with massive security flaws.
- Password and account protection habits. It’s almost entirely the end users’ responsibilities to create strong passwords and protect their own accounts. If they end up choosing weak passwords, or if they never change those passwords, no amount of built-in security can help them. The same is true if they fall for phishing schemes, or if they voluntarily give their password to someone. Along similar lines, it’s important that a developer’s end users understand the nature of online scams, but this is generally outside the realm of their control.
- Malware. When malware is installed on a device, it could gain access to everything else on that device, including being able to spy on actions performed within the cloud app. Unless a cloud app deliberately scans for malware, there’s no way for it to tell that it’s installed. It’s the end user’s responsibility to take preventative measures, such as avoiding suspicious download links and installing antivirus software to run occasional scans.
Even if these aren’t directly within the control of a cloud platform provider, there are steps a cloud authority can take to improve them, or mitigate their potential vulnerabilities. For example, a cloud provider can’t guarantee good password creation and adjustment habits, but they may be able to educate their users on the importance of good password habits and/or force them to update their passwords regularly.
Overall, cloud platforms should be held to high security standards, but there are limits to what they can control. Digital security in all its forms needs to be a team effort; even a single vulnerability can compromise the entire system.
(This post originally appeared on the ISACA blog site, which can be viewed here).